Hello Rahni:

In message <6369f9d0-004b-4b6c-8186-4dcb4a165...@yahoo.com>,
Yahoo writes:
>I'm working on monitoring a /var/log/messages, which is updated nearly every
>10 seconds with a message from a HADR application.
>
>I have the context set on that file to /var/log/messages, and I have
>a window set to 1 day in seconds, but SEC is not ignoring subsequent
>matches. Instead, I am getting the action fired off just as often as
>the message is appearing in /var/log/messages....

Can I assume $1 below is the timestamp of the event? If so:

>Here is my definition:
>
>type=SingleWithSuppress
>ptype=RegExp
>pattern=.*([0-9]{2}:[0-9]{2}:[0-9]{2}).*hadr.*\sReturning\s1.*
>context=[_FILE_EVENT_/var/log/messages]
>desc=As of $1, this host is currently primary.
           ^^^^^ I think this is the problem.

>action=pipe '$0%.nl --- %s --- $+{_inputsrc}' /bin/cat >>
>/var/log/failover-status_sec
>window=86400
>
>No matter what value I put for the window, it is ignored...

Correlations with windows are scoped by the description string.
I.E. if you generate a new description string a new correlation
is created.

You can see the running correlations by sending a kill -USR1 to the
sec process (see the man page for details). I'll bet if you do that
you will see one correlation starting every 10 seconds.

My guess is you want to capture the host name and use that in your
description string and not the timestamp.

See the man page and look for the section:

   Rules and Event Correlation Operations

Pay attention to the sentence:

   In order to distinguish one event correlation operation from
   another, SEC assigns a key to every operation that is composed from
   the rule file name, the rule ID, and the event description string
   that is derived from the desc parameter of the rule definition (by
   replacing variables with their values).

Hope this helps. Have a great day.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
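
A simplified model of the operation key quoted from the man page above, added here as an illustration; it is not SEC's code and not part of the original thread. The log lines, the hostname `db01`, the rule file name `hadr.sec` and the pattern variant that captures the hostname as `$2` are constructed assumptions.

```python
import re

# Constructed sample: syslog-style lines, one every 10 seconds (hostname is made up).
SAMPLE_LOG = [
    "Mar  3 10:00:%02d db01 hadr[4242]: check_primary: Returning 1" % s
    for s in range(0, 60, 10)
]

# Assumed variant of the thread's pattern that also captures the syslog hostname as $2.
PATTERN = re.compile(r"([0-9]{2}:[0-9]{2}:[0-9]{2})\s+(\S+)\s.*hadr.*\sReturning\s1")

def to_epoch(hms):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def expand(template, match):
    """Substitute $1, $2, ... in a desc template with the match groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)

def single_with_suppress(lines, desc, window, rule_file="hadr.sec", rule_id=0):
    """Return the expanded descriptions for which the action fired.

    Simplified model: one operation per (rule file, rule ID, expanded desc)
    key; the action runs only when no live operation exists for that key.
    """
    operations = {}   # key -> time at which the operation expires
    fired = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        now = to_epoch(m.group(1))
        key = (rule_file, rule_id, expand(desc, m))
        if operations.get(key, -1) > now:
            continue                      # suppressed by a running operation
        operations[key] = now + window    # new key: start an operation and fire
        fired.append(key[2])
    return fired

# Timestamp in desc: every event yields a new key, so nothing is ever suppressed.
by_time = single_with_suppress(SAMPLE_LOG, "As of $1, this host is currently primary.", 86400)
# Hostname in desc: one key per host, so the window suppresses the repeats.
by_host = single_with_suppress(SAMPLE_LOG, "Host $2 is currently primary.", 86400)
print(len(by_time), "actions fired with the timestamp in desc")
print(len(by_host), "action fired with the hostname in desc")
```

With the hostname in `desc`, the timestamp can still be written to the output file by referencing `$1` in the action instead of relying on `%s`.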